Data Protection in Singapore

Data protection laws in Singapore

Singapore enacted the Personal Data Protection Act of 2012 (No. 26 of 2012) on October 15, 2012, and it was subsequently amended / enhanced via the Personal Data Protection (Amendment) Act 2020 (together, the “Act”).

The Act has extraterritorial effect, meaning it applies to organizations collecting, using or disclosing personal data in Singapore whether or not the organization itself has a physical presence or is registered as a company in Singapore.

In addition to the Act, the Singapore data protection regime consists of various general or sector / industry-specific guidelines issued by the Personal Data Protection Commission (“Commission”). While these guidelines are advisory in nature and not legally binding, they indicate the manner in which the Commission will interpret the Act. Therefore, it is best practice to carefully observe and follow these guidelines.

The data protection obligations under the Act do not apply to the public sector, to whom separate rules under the Government Instruction Manual 8 (“IM8”) and the Public Sector (Governance) Act apply. Collectively, these rules provide comparable standards of data protection compared to the Act, including similar investigations and enforcement actions taken against data security breaches. The Public Sector Data Security Review Committee was convened on March 31, 2019 to conduct a comprehensive review of data security policies and practices across the public sector. The Government implemented its recommendations and adopted changes to its data security measures. Examples include:

  • Requiring officers to password-protect files containing sensitive data when sending out; and
  • Enhancing the data incident management framework with standardized process to notify affected individuals in data incidents and conduct post-incident inquiry.

Continue reading

  • no results

Back to top